Argon2
Argon2 Key Derivation Function
The winner of the Password Hashing Competition, designed to be memory-hard and resistant to GPU cracking attacks.
Certificate Pinning
TLS Certificate Pinning
A technique that associates a host with its expected certificate, preventing man-in-the-middle attacks with forged certificates.
Checksum
Checksum (Data Integrity Verification)
A value computed from a block of data using a specific algorithm, serving as a fingerprint to verify that the data was not corrupted or altered during storage or transmission.
Clickjacking
UI Redress Attack
An attack that tricks users into clicking hidden elements by overlaying invisible frames on top of legitimate page content.
CSRF
Cross-Site Request Forgery
An attack tricking an authenticated user into submitting unintended requests to a web application.
CVE
Common Vulnerabilities and Exposures
A standardized catalog of publicly known security vulnerabilities, each assigned a unique CVE-YYYY-NNNNN identifier.
DDoS
Distributed Denial of Service
An attack that overwhelms a server or network with traffic from many distributed sources, making it unavailable to legitimate users.
Entropy
Password Entropy
A measure of randomness or unpredictability in a password, expressed in bits, indicating resistance to guessing.
PGP
PGP (Pretty Good Privacy)
An encryption system that combines symmetric and asymmetric cryptography to provide confidentiality, authentication, and integrity for email, files, and data, based on a decentralized web-of-trust model.
TOTP
Time-based One-Time Password
A temporary passcode generated from a shared secret and the current time, used in two-factor authentication.
RSA
RSA (Rivest-Shamir-Adleman)
A widely used asymmetric encryption algorithm based on the mathematical difficulty of factoring the product of large primes, enabling secure key exchange, digital signatures, and encrypted communication without sharing a secret key.
SSL/TLS
SSL/TLS (Secure Sockets Layer / Transport Layer Security)
A cryptographic protocol that protects Internet communication by encrypting data between the client (browser) and the server, authenticating the server's identity, and ensuring data integrity in transit.
Steganography
Steganography (Hidden Data Embedding)
A technique that hides a message or data inside an ordinary file such as an image, audio track, or video so that the presence of the hidden information is not apparent to a casual observer.
Password Hashing
Password Hashing (Secure Credential Storage)
The process of converting a plaintext password into a fixed-length, irreversible hash value for storage, ensuring that even if the database is leaked the original passwords cannot easily be recovered.
QR Code
QR Code (Quick Response Code)
A two-dimensional barcode made of black and white square modules arranged in a grid pattern that can encode text, URLs, contact information, or other data, readable by smartphone cameras and dedicated scanners.
HMAC
HMAC (Hash-Based Message Authentication Code)
A specific construction that produces a message authentication code from a cryptographic hash function combined with a secret key, verifying both the integrity and the authenticity of a message.
Key Derivation
Key Derivation Function
A function that derives one or more secret keys from a password or passphrase using a pseudorandom function.
Salt
Cryptographic Salt
Random data added to a password before hashing to ensure identical passwords produce different hashes.
Public Key
Public Key Cryptography
A cryptographic system using paired keys where the public key encrypts and only the private key can decrypt.
XSS
Cross-Site Scripting
An attack injecting malicious scripts into web pages viewed by other users, stealing data or session tokens.
OWASP Top 10
OWASP Top Ten Web Risks
A regularly updated list of the ten most critical web application security risks, published by the Open Web Application Security Project.
SQL Injection
SQL Injection Attack
Inserting malicious SQL code into application queries to access, modify, or delete database data.
Command Injection
OS Command Injection
An attack passing arbitrary operating system commands through a vulnerable application to the host system.
Path Traversal
Directory Traversal Attack
Exploiting insufficient input validation to access files outside the intended directory using ../ sequences.
Penetration Testing
Penetration Testing (Pentest)
Simulating real-world attacks against a system to identify security vulnerabilities before malicious actors do.
Threat Modeling
Security Threat Modeling
A structured process for identifying potential threats, attack vectors, and mitigations during system design.
Defense in Depth
Defense in Depth Strategy
A security approach using multiple layers of protection so that if one layer fails, others still provide defense.
Insecure Deserialization
A vulnerability where untrusted data is deserialized without validation, potentially enabling remote code execution.
XXE
XML External Entity Attack
An attack exploiting XML parsers to access local files, perform SSRF, or cause denial of service via entity expansion.
SRI
Subresource Integrity
An HTML attribute providing a cryptographic hash to verify that fetched resources have not been tampered with.
CORS Misconfiguration
CORS Security Misconfiguration
Overly permissive CORS headers allowing unauthorized origins to read sensitive API responses in the browser.
Sensitive Data Exposure
A vulnerability where applications fail to adequately protect sensitive data like passwords, tokens, or PII in transit or at rest.
HSTS
HTTP Strict Transport Security
An HTTP header instructing browsers to only connect via HTTPS, preventing protocol downgrade attacks.
Zero-Day
Zero-Day Vulnerability
A software vulnerability unknown to the vendor and without a patch, actively exploited before a fix is available.
SSRF
Server-Side Request Forgery
An attack making the server send requests to unintended internal or external resources on behalf of the attacker.
RBAC
Role-Based Access Control
An authorization model that assigns permissions to roles rather than individual users, simplifying access management at scale.
PKI
Public Key Infrastructure
A framework of certificate authorities, digital certificates, and key pairs that enables secure encrypted communication and identity verification.
WAF
Web Application Firewall
A security layer that filters HTTP traffic between a web application and the internet, blocking common attacks like SQL injection and XSS.
Nonce
Number Used Once
A random or sequential value used exactly once in cryptographic operations to prevent replay attacks and ensure message freshness.
E2EE
End-to-End Encryption
A communication system where only the sender and recipient can read messages, with encryption keys never accessible to intermediary servers.
FIDO2
Fast Identity Online 2
An authentication standard enabling passwordless login through hardware security keys or biometrics using public key cryptography.
Sandbox
Security Sandbox
An isolated execution environment that restricts a program's access to system resources, limiting the impact of malicious code.
SHA-256
SHA-256 (Secure Hash Algorithm 256-bit)
A cryptographic hash function that produces a fixed 256-bit (32-byte) digest from any input, widely used for data integrity verification, digital signatures, blockchains, and password storage.
AES
AES (Advanced Encryption Standard)
The most widely used symmetric encryption algorithm, adopted as a standard by the US government (NIST) in 2001. AES encrypts data in fixed 128-bit blocks using 128-, 192-, or 256-bit keys.
2FA
Two-Factor Authentication
A security process requiring two distinct forms of identification — typically a password and a code from a separate device.